CVE-2024-5547

Directory Traversal in stitionai/devika

CVSS 7.5 HIGHEPSS 1.0%CWE-23

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.5EPSS 1.0%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

27 Jun 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A directory traversal vulnerability exists in the /api/download-project-pdf endpoint of the stitionai/devika repository, affecting the latest version. The vulnerability arises due to insufficient sanitization of the 'project_name' parameter in the download_project_pdf function. Attackers can exploit this flaw by manipulating the 'project_name' parameter in a GET request to traverse the directory structure and download arbitrary PDF files from the system. This issue allows attackers to access sensitive information that could be stored in PDF format outside the intended directory.

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

stitionai · stitionai/devika

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2 https://huntr.com/bounties/7ea0eb5f-7643-4452-bc93-a225e2090283